How does SSO with Opus work?

We use Keycloak as the authentication layer for logging into Opus using SSO. Keycloak is an open source identity and access management solution that allows us to authenticate against a number of different identity providers (IdPs), as well as ADFS, using the SAML 2.0 protocol.

Authentication Flow

Once enabled, you can set up which users will authenticate using SSO from the System Admin -> Users page. These users can click 'Single Sign-On' on the login page to start the authentication process. (IdP-initiated login is not supported in the current version of Keycloak.)

Once you start the authentication, a token is requested from Keycloak, which sends a SAML 2.0 request to your IdP. The user is authenticated against your IdP, so no password credentials are stored within Opus2 or Keycloak.

Workflow for enabling SSO

If you wish to enable SSO on your server, please contact the Opus2 support team who will guide you through the process and provide further documentation tailored to your setup and requirements.

An overview of the required steps is listed below:

- First we need an XML or URL to the necessary IdP metadata, which should include the SAML endpoint. (e.g.

- Opus2 can then provide an equivalent XML or URL to be used for setting up the trust in your IdP.

- We then add the appropriate Attribute Mappings to ensure the email, first name and last name are pulled in as part of the authentication and login process.

- We can then turn on SSO on your server and test the connection, which can be done in a test environment to ensure no disruption to production usage.

- Once the testing has verified the login process, we can then arrange a time to switch over any current users to SSO, allowing them to retain all their previous work product and account information.

The setup is best done over a screen-share meeting so we can ensure the correct information is added as part of the setup, as well as allowing us to troubleshoot any issues or requirements as needed. We can also provide you with Admin accounts in Keycloak to allow you to set up and configure your IdP information as needed.

For more information on Keycloak, please visit their website;